[unisog] RPC Vulnerability: Patching Policies?

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Fri Aug 8 16:24:28 GMT 2003


We are really going to try to get our "NetReg Penalty Box" up and running 
for this task.

Once people are registered normally, we will scan them with nessus and 
email them what the issue is and how to fix it.  They get X days to 
respond.  Then their MAC address gets taken from the "known" pool and put 
into the "badboy" pool, where they get served an internal IP address and 
are given a DNS entry that points them to a standard notice.  When they 
hit it, it triggers another nessus scan, and they are told what the 
problem is and are given a link to fix it (the link points to an 
internally hosted file since they have a 10.x address).

They keep coming back to that page every time they open their browser 
until they scan as clean.  Then their MAC is put back in the "known" pool 
and they get a public IP address.

I know other schools have something like this now.  If anyone has done 
this with the standard NetReg package let me know.  I think it is doable - 
we just need time to do it. :-)  Automatic is the key - we can not call 
10,000 people.

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
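Phil's penalty-box workflow, written out as a small state machine in Python. This is an added example, not NetReg code or anything from the original post; the pool names, the grace period and the clean/vulnerable flag (standing in for parsing a real nessus report) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Pool(Enum):
    KNOWN = "known"    # registered and clean: served a public IP
    BADBOY = "badboy"  # quarantined: served a 10.x IP, DNS points at the notice page


@dataclass
class Host:
    mac: str
    pool: Pool = Pool.KNOWN
    notified_at: Optional[datetime] = None  # when the "here is the problem" mail went out


class PenaltyBox:
    """Moves MACs between the two pools from scan verdicts and the grace period (assumed design)."""

    def __init__(self, grace_days: int):
        self.grace = timedelta(days=grace_days)  # the "X days to respond"
        self.hosts: Dict[str, Host] = {}

    def register(self, mac: str) -> None:
        self.hosts[mac] = Host(mac=mac)  # normal NetReg registration

    def record_scan(self, mac: str, clean: bool, now: datetime) -> str:
        """Apply one scan verdict to a MAC; a hit on the notice page also ends up here."""
        h = self.hosts[mac]
        if clean:
            h.pool = Pool.KNOWN          # scans clean: back to the public pool
            h.notified_at = None
            return "clean"
        if h.pool is Pool.BADBOY:
            return "still-vulnerable"    # rescan triggered from the notice page failed
        if h.notified_at is None:
            h.notified_at = now          # first finding: mail the user, start the clock
            return "notified"
        return "grace"                   # already warned, deadline not yet reached

    def sweep(self, now: datetime) -> List[str]:
        """Quarantine every warned host whose grace period has run out; returns the MACs moved."""
        moved = []
        for h in self.hosts.values():
            if h.pool is Pool.KNOWN and h.notified_at is not None and now - h.notified_at >= self.grace:
                h.pool = Pool.BADBOY
                moved.append(h.mac)
        return moved
```

`sweep` is what a cron job would run; the DHCP and DNS side (which pool gets the 10.x lease and the notice-page record) is left to the real registration system.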

Allen Chang <allen at rescomp.berkeley.edu>
08/08/2003 03:05 AM

        To:     unisog at sans.org
        cc:
        Subject:        [unisog] RPC Vulnerability: Patching Policies?


Hi everyone,

As the semester system schools get ready for the influx of residents
living in the dorms, I'm sure you're all thinking about how to handle the
Windows RPC Vulnerability on student-owned computers.

These are our preliminary ideas and we're wondering what other people have
thought of:

1) Aggressively scan the network for unpatched/compromised computers using
some sort of tool

2) Disconnect any unpatched/compromised computers from the network

3) Require patching before letting them back on.

Sounds easy in theory. But implementation is going to be a mess on a
network with 6,000 computers. A few challenges we see:

-Working hours needed to identify and remove computers

-Verifying that the computer has been patched

-Working hours needed to put them back on the network.


Allen Chang
Lead Network Security Coordinator
Office of Residential Computing
UC Berkeley
